s4:provision - Bump down the domain and forest level to Windows 2000

Matthias Dieter Wallnöfer mdw at samba.org
Mon Sep 21 03:41:59 MDT 2009

Yeah, abartlet I understood your arguments.

Well, the domain controller function level change was silly, though. To 
revert it cleanly I also need to adapt it in the "libcli" library, which 
is used when we ourselves join as a DC.

Regarding the domain/forest function level, I personally don't see 
many problems, since I wrote the "domainlevel" tool as a step-up. Also, by 
default Windows Server uses the lowest supported level and you can 
step up afterwards. Maybe it was not right to step down to Windows 2000 
compatibility; therefore Windows 2003 compatibility could be the right 

So for now I accept your change there but I would like to discuss that 
another time.


Andrew Bartlett wrote:
> On Fri, 2009-09-18 at 10:51 -0500, Matthias Dieter Wallnöfer wrote:
>> commit 89f5df6fa7cca1aaec81e29b8777bab5b4068003
>> Author: Matthias Dieter Wallnöfer <mwallnoefer at yahoo.de>
>> Date:   Fri Sep 18 16:21:29 2009 +0200
>>     s4:provision - Bump down the domain and forest level to Windows 2000
>>     - The DC level we keep on Windows Server 2008 R2 (we should always call
>>       ourselves the newest server type)
>>     - The domain/forest level we set to the minimum (Windows 2000 native) to
>>       allow all AD DC types (from Windows 2000 on) in our domain - the NT4 "mixed"
>>       mode isn't supported by us (discussed on mailing list) -> "nTMixedDomain" is
>>       set always to 0
>>     - I'll add a script which allows to bump the DC level (basically sets the
>>       "msDS-Behaviour-Version" attributes on the "Partitions/Configuration/DC" and
>>       on the "DC" object)
> Matthias,
> I'm puzzled as to why we needed to change the default functional level
> here.  Perhaps I'm missing something, but what was wrong with the old
> default?  
> I'm quite happy to have options in our provision to set the domain
> functional level (certainly between Windows 2003 and Windows 2008
> level), and have scripts to change it, but the default should not be
> changed without discussion on the list. 
> Similarly, we should not advertise a higher server functional level
> without carefully considering and discussing the consequences.   
> I'm sorry to have to be so picky about this, but we need to work a bit
> closer to review your changes for their broader impact.  We have a big
> week of testing coming up at Microsoft, and changes like this mid-week
> could really throw a spanner in the works. 
> Andrew Bartlett
